

<!DOCTYPE html>
<html lang="zh-CN" data-default-color-scheme=auto>



<head>
  <meta charset="UTF-8">
  <link rel="apple-touch-icon" sizes="76x76" href="https://img.mkerosene.cn/touxiang.jpg">
  <link rel="icon" href="https://img.mkerosene.cn/touxiang.jpg">
  <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0, shrink-to-fit=no">
  <meta http-equiv="x-ua-compatible" content="ie=edge">
  
    <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
  
  <meta name="theme-color" content="#2f4154">
  <meta name="author" content="Kerosene W">
  <meta name="keywords" content="">
  
    <meta name="description" content="SCTF-个人能力认证-wpMiscThe_is_A_tree 题目数据为二叉树，进行前序遍历  123456789import osList &#x3D; []for root, dirs, files in os.walk(&amp;#x27;.&#x2F;erchashu&amp;#x27;):    f &#x3D; open(root+&amp;#x27;&#x2F;data&amp;#x27;, &amp;#x27;r&amp;#x27;)    # print(root">
<meta property="og:type" content="article">
<meta property="og:title" content="SCTF-个人能力认证-wp">
<meta property="og:url" content="http://example.com/2021/12/25/SCTF-%E4%B8%AA%E4%BA%BA%E8%83%BD%E5%8A%9B%E8%AE%A4%E8%AF%81-wp/index.html">
<meta property="og:site_name" content="追求源于热爱">
<meta property="og:description" content="SCTF-个人能力认证-wpMiscThe_is_A_tree 题目数据为二叉树，进行前序遍历  123456789import osList &#x3D; []for root, dirs, files in os.walk(&amp;#x27;.&#x2F;erchashu&amp;#x27;):    f &#x3D; open(root+&amp;#x27;&#x2F;data&amp;#x27;, &amp;#x27;r&amp;#x27;)    # print(root">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://img.mkerosene.cn/image-20211225164001159.png">
<meta property="og:image" content="https://img.mkerosene.cn/image-20211225164245498.png">
<meta property="og:image" content="https://img.mkerosene.cn/image-20211225164534927.png">
<meta property="og:image" content="https://img.mkerosene.cn/image-20211225165405303.png">
<meta property="og:image" content="https://img.mkerosene.cn/image-20211225165715109.png">
<meta property="og:image" content="https://img.mkerosene.cn/image-20211225165816920.png">
<meta property="og:image" content="https://img.mkerosene.cn/image-20211225170026032.png">
<meta property="og:image" content="https://img.mkerosene.cn/image-20211225170547190.png">
<meta property="og:image" content="https://img.mkerosene.cn/image-20211225170749325.png">
<meta property="article:published_time" content="2021-12-25T08:31:35.000Z">
<meta property="article:modified_time" content="2021-12-26T00:22:20.082Z">
<meta property="article:author" content="Kerosene W">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:image" content="https://img.mkerosene.cn/image-20211225164001159.png">
  
  
  <title>SCTF-个人能力认证-wp - 追求源于热爱</title>

  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4/dist/css/bootstrap.min.css" />


  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/github-markdown-css@4/github-markdown.min.css" />
  <link  rel="stylesheet" href="/lib/hint/hint.min.css" />

  
    
    
      
      <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/highlight.js@10/styles/github-gist.min.css" />
    
  

  
    <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@3/dist/jquery.fancybox.min.css" />
  


<!-- 主题依赖的图标库，不要自行修改 -->

<link rel="stylesheet" href="//at.alicdn.com/t/font_1749284_ba1fz6golrf.css">



<link rel="stylesheet" href="//at.alicdn.com/t/font_1736178_kmeydafke9r.css">


<link  rel="stylesheet" href="/css/main.css" />

<!-- 自定义样式保持在最底部 -->


  <script id="fluid-configs">
    var Fluid = window.Fluid || {};
    var CONFIG = {"hostname":"example.com","root":"/","version":"1.8.13","typing":{"enable":true,"typeSpeed":70,"cursorChar":"_","loop":false},"anchorjs":{"enable":true,"element":"h1,h2,h3,h4,h5,h6","placement":"right","visible":"hover","icon":"❡"},"progressbar":{"enable":true,"height_px":3,"color":"#29d","options":{"showSpinner":false,"trickleSpeed":100}},"copy_btn":true,"image_zoom":{"enable":true,"img_url_replace":["",""]},"toc":{"enable":true,"headingSelector":"h1,h2,h3,h4,h5,h6","collapseDepth":0},"lazyload":{"enable":true,"loading_img":"https://img.mkerosene.cn/loading.gif","onlypost":false,"offset_factor":2},"web_analytics":{"enable":true,"baidu":null,"google":null,"gtag":null,"tencent":{"sid":null,"cid":null},"woyaola":null,"cnzz":null,"leancloud":{"app_id":"FI1uAFAYz0Q3MPDiORqd0JAN-gzGzoHsz","app_key":"EhKAjMe3bmq0WLTSgktGg2OC","server_url":null,"path":"window.location.pathname","ignore_local":false}},"search_path":"/local-search.xml"};
  </script>
  <script  src="/js/utils.js" ></script>
  <script  src="/js/color-schema.js" ></script>
</head>


<body>
  <header style="height: 70vh;">

    <div class="banner" id="banner" parallax=true
         style="background: url('https://img.mkerosene.cn/default.png') no-repeat center center;
           background-size: cover;">
      <div class="full-bg-img">
        <div class="mask flex-center" style="background-color: rgba(0, 0, 0, 0.3)">
          <div class="page-header text-center fade-in-up">
            <span class="h2" id="subtitle" title="SCTF-个人能力认证-wp">
              
            </span>

            
              <div class="mt-3">
  
  
    <span class="post-meta">
      <i class="iconfont icon-date-fill" aria-hidden="true"></i>
      <time datetime="2021-12-25 16:31" pubdate>
        2021年12月25日 下午
      </time>
    </span>
  
</div>

<div class="mt-1">
  
    <span class="post-meta mr-2">
      <i class="iconfont icon-chart"></i>
      3.8k 字
    </span>
  

  
    <span class="post-meta mr-2">
      <i class="iconfont icon-clock-fill"></i>
      
      
      12 分钟
    </span>
  

  
  
    
      <!-- LeanCloud 统计文章PV -->
      <span id="leancloud-page-views-container" class="post-meta" style="display: none">
        <i class="iconfont icon-eye" aria-hidden="true"></i>
        <span id="leancloud-page-views"></span> 次
      </span>
    
  
</div>

            
          </div>

          
        </div>
      </div>
    </div>
  </header>

  <main>
    
      

<div class="container-fluid nopadding-x">
  <div class="row nomargin-x">
    <div class="d-none d-lg-block col-lg-2"></div>
    <div class="col-lg-8 nopadding-x-md">
      <div class="container nopadding-x-md" id="board-ctn">
        <div class="py-5" id="board">
          <article class="post-content mx-auto">
            <!-- SEO header -->
            <h1 style="display: none">SCTF-个人能力认证-wp</h1>
            
              <p class="note note-info">
                
                  本文最后更新于：1 年前
                
              </p>
            
            <div class="markdown-body">
              <h1 id="SCTF-个人能力认证-wp"><a href="#SCTF-个人能力认证-wp" class="headerlink" title="SCTF-个人能力认证-wp"></a>SCTF-个人能力认证-wp</h1><h2 id="Misc"><a href="#Misc" class="headerlink" title="Misc"></a>Misc</h2><h3 id="The-is-A-tree"><a href="#The-is-A-tree" class="headerlink" title="The_is_A_tree"></a><strong>The_is_A_tree</strong></h3><ul>
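<li>题目数据是以目录结构保存的二叉树，对其进行前序遍历（<code>os.walk</code> 默认自顶向下，先访问父目录再访问子目录；同级子目录的顺序取决于文件系统列出的顺序，若结果错乱需先对 <code>dirs</code> 排序）</li>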
</ul>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">import</span> os<br><span class="hljs-type">List</span> = []<br><span class="hljs-keyword">for</span> root, dirs, files <span class="hljs-keyword">in</span> os.walk(<span class="hljs-string">&#x27;./erchashu&#x27;</span>):<br>    f = <span class="hljs-built_in">open</span>(root+<span class="hljs-string">&#x27;/data&#x27;</span>, <span class="hljs-string">&#x27;r&#x27;</span>)<br>    <span class="hljs-comment"># print(root)</span><br>    <span class="hljs-type">List</span>.append(f.read())<br>    f.close()<br>s = <span class="hljs-string">&#x27;&#x27;</span>.join(<span class="hljs-type">List</span>)<br><span class="hljs-built_in">print</span>(s)<br></code></pre></td></tr></table></figure>

<ul>
<li>得到<code>Q2hpbmVzZSB0cmFkaXRpb25hbCBjdWx0dXJlIGlzIGJyb2FkIGFuZCBwcm9mb3VuZCEgU28gSSBXYW50IEdpdmUgWW91IE15IEZsYWcgQnV0IFlvdSBOZWVkIERlY29kZSBJdC5FbmpveSBUaGUgRmxhZyEhOuW4iCDlhZEg5aSNIOaNnyDlt70g6ZyHIOaZiyDlp6Qg5aSn6L+HIOiuvCDlmazll5Eg6ZyHIOaBkiDoioIg6LGrIA==</code></li>
<li>base64解码（Base64 是编码而非加密）</li>
</ul>
<p><img src="https://img.mkerosene.cn/image-20211225164001159.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="image-20211225164001159"></p>
<ul>
<li>直接搜索，找到类似题目 [BJDCTF2020]伏羲六十四卦</li>
<li>借用其脚本解出：每个卦名对应 6 位二进制，全部拼接后按 8 位一组转换为字符</li>
</ul>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><code class="hljs python">s = <span class="hljs-string">&#x27;师兑复损巽震晋姤大过讼噬嗑震恒节豫&#x27;</span><br>dic = &#123;<span class="hljs-string">&#x27;坤&#x27;</span>: <span class="hljs-string">&#x27;000000&#x27;</span>, <span class="hljs-string">&#x27;剥&#x27;</span>: <span class="hljs-string">&#x27;000001&#x27;</span>, <span class="hljs-string">&#x27;比&#x27;</span>: <span class="hljs-string">&#x27;000010&#x27;</span>, <span class="hljs-string">&#x27;观&#x27;</span>: <span class="hljs-string">&#x27;000011&#x27;</span>, <span class="hljs-string">&#x27;豫&#x27;</span>: <span class="hljs-string">&#x27;000100&#x27;</span>, <span class="hljs-string">&#x27;晋&#x27;</span>: <span class="hljs-string">&#x27;000101&#x27;</span>, <span class="hljs-string">&#x27;萃&#x27;</span>: <span class="hljs-string">&#x27;000110&#x27;</span>, <span class="hljs-string">&#x27;否&#x27;</span>: <span class="hljs-string">&#x27;000111&#x27;</span>, <span class="hljs-string">&#x27;谦&#x27;</span>: <span class="hljs-string">&#x27;001000&#x27;</span>, <span class="hljs-string">&#x27;艮&#x27;</span>: <span class="hljs-string">&#x27;001001&#x27;</span>, <span class="hljs-string">&#x27;蹇&#x27;</span>: <span class="hljs-string">&#x27;001010&#x27;</span>, <span 
class="hljs-string">&#x27;渐&#x27;</span>: <span class="hljs-string">&#x27;001011&#x27;</span>, <span class="hljs-string">&#x27;小过&#x27;</span>: <span class="hljs-string">&#x27;001100&#x27;</span>, <span class="hljs-string">&#x27;旅&#x27;</span>: <span class="hljs-string">&#x27;001101&#x27;</span>, <span class="hljs-string">&#x27;咸&#x27;</span>: <span class="hljs-string">&#x27;001110&#x27;</span>, <span class="hljs-string">&#x27;遁&#x27;</span>: <span class="hljs-string">&#x27;001111&#x27;</span>, <span class="hljs-string">&#x27;师&#x27;</span>: <span class="hljs-string">&#x27;010000&#x27;</span>, <span class="hljs-string">&#x27;蒙&#x27;</span>: <span class="hljs-string">&#x27;010001&#x27;</span>, <span class="hljs-string">&#x27;坎&#x27;</span>: <span class="hljs-string">&#x27;010010&#x27;</span>, <span class="hljs-string">&#x27;涣&#x27;</span>: <span class="hljs-string">&#x27;010011&#x27;</span>, <span class="hljs-string">&#x27;解&#x27;</span>: <span class="hljs-string">&#x27;010100&#x27;</span>, <span class="hljs-string">&#x27;未济&#x27;</span>: <span class="hljs-string">&#x27;010101&#x27;</span>, <span class="hljs-string">&#x27;困&#x27;</span>: <span class="hljs-string">&#x27;010110&#x27;</span>, <span class="hljs-string">&#x27;讼&#x27;</span>: <span class="hljs-string">&#x27;010111&#x27;</span>, <span class="hljs-string">&#x27;升&#x27;</span>: <span class="hljs-string">&#x27;011000&#x27;</span>, <span class="hljs-string">&#x27;蛊&#x27;</span>: <span class="hljs-string">&#x27;011001&#x27;</span>, <span class="hljs-string">&#x27;井&#x27;</span>: <span class="hljs-string">&#x27;011010&#x27;</span>, <span class="hljs-string">&#x27;巽&#x27;</span>: <span class="hljs-string">&#x27;011011&#x27;</span>, <span class="hljs-string">&#x27;恒&#x27;</span>: <span class="hljs-string">&#x27;011100&#x27;</span>, <span class="hljs-string">&#x27;鼎&#x27;</span>: <span class="hljs-string">&#x27;011101&#x27;</span>, <span class="hljs-string">&#x27;大过&#x27;</span>: <span 
class="hljs-string">&#x27;011110&#x27;</span>, <span class="hljs-string">&#x27;姤&#x27;</span>: <span class="hljs-string">&#x27;011111&#x27;</span>, <span class="hljs-string">&#x27;复&#x27;</span>: <span class="hljs-string">&#x27;100000&#x27;</span>, <span class="hljs-string">&#x27;颐&#x27;</span>: <span class="hljs-string">&#x27;100001&#x27;</span>, <span class="hljs-string">&#x27;屯&#x27;</span>: <span class="hljs-string">&#x27;100010&#x27;</span>, <span class="hljs-string">&#x27;益&#x27;</span>: <span class="hljs-string">&#x27;100011&#x27;</span>, <span class="hljs-string">&#x27;震&#x27;</span>: <span class="hljs-string">&#x27;100100&#x27;</span>, <span class="hljs-string">&#x27;噬嗑&#x27;</span>: <span class="hljs-string">&#x27;100101&#x27;</span>, <span class="hljs-string">&#x27;随&#x27;</span>: <span class="hljs-string">&#x27;100110&#x27;</span>, <span class="hljs-string">&#x27;无妄&#x27;</span>: <span class="hljs-string">&#x27;100111&#x27;</span>, <span class="hljs-string">&#x27;明夷&#x27;</span>: <span class="hljs-string">&#x27;101000&#x27;</span>, <span class="hljs-string">&#x27;贲&#x27;</span>: <span class="hljs-string">&#x27;101001&#x27;</span>, <span class="hljs-string">&#x27;既济&#x27;</span>: <span class="hljs-string">&#x27;101010&#x27;</span>, <span class="hljs-string">&#x27;家人&#x27;</span>: <span class="hljs-string">&#x27;101011&#x27;</span>, <span class="hljs-string">&#x27;丰&#x27;</span>: <span class="hljs-string">&#x27;101100&#x27;</span>, <span class="hljs-string">&#x27;离&#x27;</span>: <span class="hljs-string">&#x27;101101&#x27;</span>, <span class="hljs-string">&#x27;革&#x27;</span>: <span class="hljs-string">&#x27;101110&#x27;</span>, <span class="hljs-string">&#x27;同人&#x27;</span>: <span class="hljs-string">&#x27;101111&#x27;</span>, <span class="hljs-string">&#x27;临&#x27;</span>: <span class="hljs-string">&#x27;110000&#x27;</span>, <span class="hljs-string">&#x27;损&#x27;</span>: <span class="hljs-string">&#x27;110001&#x27;</span>, <span 
class="hljs-string">&#x27;节&#x27;</span>: <span class="hljs-string">&#x27;110010&#x27;</span>, <span class="hljs-string">&#x27;中孚&#x27;</span>: <span class="hljs-string">&#x27;110011&#x27;</span>, <span class="hljs-string">&#x27;归妹&#x27;</span>: <span class="hljs-string">&#x27;110100&#x27;</span>, <span class="hljs-string">&#x27;睽&#x27;</span>: <span class="hljs-string">&#x27;110101&#x27;</span>, <span class="hljs-string">&#x27;兑&#x27;</span>: <span class="hljs-string">&#x27;110110&#x27;</span>, <span class="hljs-string">&#x27;履&#x27;</span>: <span class="hljs-string">&#x27;110111&#x27;</span>, <span class="hljs-string">&#x27;泰&#x27;</span>: <span class="hljs-string">&#x27;111000&#x27;</span>, <span class="hljs-string">&#x27;大畜&#x27;</span>: <span class="hljs-string">&#x27;111001&#x27;</span>, <span class="hljs-string">&#x27;需&#x27;</span>: <span class="hljs-string">&#x27;111010&#x27;</span>, <span class="hljs-string">&#x27;小畜&#x27;</span>: <span class="hljs-string">&#x27;111011&#x27;</span>, <span class="hljs-string">&#x27;大壮&#x27;</span>: <span class="hljs-string">&#x27;111100&#x27;</span>, <span class="hljs-string">&#x27;大有&#x27;</span>: <span class="hljs-string">&#x27;111101&#x27;</span>, <span class="hljs-string">&#x27;夬&#x27;</span>: <span class="hljs-string">&#x27;111110&#x27;</span>, <span class="hljs-string">&#x27;乾&#x27;</span>: <span class="hljs-string">&#x27;111111&#x27;</span>&#125;<br>li = []<br>k = <span class="hljs-number">0</span><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>(s)):<br>    <span class="hljs-keyword">if</span> k == <span class="hljs-number">1</span>:<br>        k = <span class="hljs-number">0</span><br>        <span class="hljs-keyword">continue</span><br>    <span class="hljs-keyword">try</span>:<br>        li.append(dic[s[i]])<br>    <span class="hljs-keyword">except</span>:<br>        t = <span 
class="hljs-string">&#x27;&#x27;</span><br>        t = t+s[i]+s[i+<span class="hljs-number">1</span>]<br>        li.append(dic[t])<br>        k = <span class="hljs-number">1</span><br>ss = <span class="hljs-string">&#x27;&#x27;</span>.join(li)<br><span class="hljs-built_in">print</span>(ss)<br>enc = <span class="hljs-string">&#x27;&#x27;</span><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">0</span>, <span class="hljs-built_in">len</span>(ss), <span class="hljs-number">8</span>):<br>    enc += <span class="hljs-built_in">chr</span>(<span class="hljs-built_in">eval</span>(<span class="hljs-string">&#x27;0b&#x27;</span>+ss[i:i+<span class="hljs-number">8</span>]))<br><span class="hljs-built_in">print</span>(enc)<br></code></pre></td></tr></table></figure>

<p><img src="https://img.mkerosene.cn/image-20211225164245498.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="image-20211225164245498"></p>
<h2 id="Web"><a href="#Web" class="headerlink" title="Web"></a>Web</h2><h3 id="Loginme"><a href="#Loginme" class="headerlink" title="Loginme"></a><strong>Loginme</strong></h3><p><img src="https://img.mkerosene.cn/image-20211225164534927.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="image-20211225164534927"></p>
<ul>
<li>访问<code>http://124.71.166.197:18001/admin/index?id=1</code>时提示<code>Only localhost can access</code>，即该接口要求请求来自本地 IP</li>
<li>常规思路：用 Burp 抓包，添加 X-Forwarded-For（xff）请求头，无效</li>
<li>分析源码，发现请求只要带有 xff 或<code>x-client-ip</code>请求头就会被直接拒绝（403）</li>
</ul>
<figure class="highlight go"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><code class="hljs go"><span class="hljs-function"><span class="hljs-keyword">func</span> <span class="hljs-title">LocalRequired</span><span class="hljs-params">()</span> <span class="hljs-title">gin</span>.<span class="hljs-title">HandlerFunc</span></span> &#123;<br>	<span class="hljs-keyword">return</span> <span class="hljs-function"><span class="hljs-keyword">func</span><span class="hljs-params">(c *gin.Context)</span></span> &#123;<br>		<span class="hljs-keyword">if</span> c.GetHeader(<span class="hljs-string">&quot;x-forwarded-for&quot;</span>) != <span class="hljs-string">&quot;&quot;</span> || c.GetHeader(<span class="hljs-string">&quot;x-client-ip&quot;</span>) != <span class="hljs-string">&quot;&quot;</span> &#123;<br>			c.AbortWithStatus(<span class="hljs-number">403</span>)<br>			<span class="hljs-keyword">return</span><br>		&#125;<br>		ip := c.ClientIP()<br>		<span class="hljs-keyword">if</span> ip == <span class="hljs-string">&quot;127.0.0.1&quot;</span> &#123;<br>			c.Next()<br>		&#125; <span class="hljs-keyword">else</span> &#123;<br>			c.AbortWithStatus(<span class="hljs-number">401</span>)<br>		&#125;<br>	&#125;<br>&#125;<br></code></pre></td></tr></table></figure>

<ul>
<li>尝试搜索其他参数无果</li>
<li>转而分析<code>ClientIP()</code>：clone 框架源码，搜索该函数的实现</li>
</ul>
<p><img src="https://img.mkerosene.cn/image-20211225165405303.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="image-20211225165405303"></p>
<ul>
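<li>添加<code>X-Real-IP</code>请求头后成功进入：<code>ClientIP()</code>除 X-Forwarded-For 外还会读取<code>X-Real-IP</code>，而中间件没有拦截这个请求头。防御上，本地访问限制不应依赖可由客户端伪造的请求头，应以连接的实际对端地址（<code>c.Request.RemoteAddr</code>）为准，或用<code>SetTrustedProxies</code>只信任真实的反向代理</li>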
<li>定位到<code>structs.go</code></li>
</ul>
<img src="https://img.mkerosene.cn/image-20211225165715109.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="image-20211225165715109" style="zoom:67%;" />

<ul>
<li>id=0</li>
</ul>
<p><img src="https://img.mkerosene.cn/image-20211225165816920.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="image-20211225165816920"></p>
<ul>
<li>添加age请求参数，发现回显age内容</li>
</ul>
<p><img src="https://img.mkerosene.cn/image-20211225170026032.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="image-20211225170026032"></p>
<ul>
<li><code>route.go</code>存在 templates 字样，尝试 payload = <code>?id=0&amp;age=&#123;&#123;2*2&#125;&#125;</code>时返回 500 报错（Go 模板语法不支持<code>*</code>这类算术运算符，解析会失败，由此推测 age 的内容被当作模板源码解析）</li>
<li>查找资料</li>
</ul>
<p><img src="https://img.mkerosene.cn/image-20211225170547190.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="image-20211225170547190"></p>
<ul>
<li>尝试<code>&#123;&#123;.Username&#125;&#125;</code>成功回显“Admin”，说明用户输入被拼进模板并执行，可以读取传给模板的数据对象的字段。修复方式是把用户输入只作为模板数据传入，不要拼接到模板字符串中</li>
</ul>
<figure class="highlight handlebars"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs handlebars"><span class="xml">payload=?id=0&amp;age=</span><span class="hljs-template-variable">&#123;&#123;<span class="hljs-name">.Password</span>&#125;&#125;</span><br></code></pre></td></tr></table></figure>

<ul>
<li>得到flag</li>
</ul>
<p><img src="https://img.mkerosene.cn/image-20211225170749325.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="image-20211225170749325"></p>
<hr>

            </div>
            <hr>
            <div>
              <div class="post-metas mb-3">
                
                
              </div>
              
                <p class="note note-warning">
                  
                    本博客所有文章除特别声明外，均采用 <a target="_blank" href="https://creativecommons.org/licenses/by-sa/4.0/deed.zh" rel="nofollow noopener noopener">CC BY-SA 4.0 协议</a> ，转载请注明出处！
                  
                </p>
              
              
              
            </div>

            
            
          </article>
        </div>
      </div>
    </div>
    
      <div class="d-none d-lg-block col-lg-2 toc-container" id="toc-ctn">
        <div id="toc">
  <p class="toc-header"><i class="iconfont icon-list"></i>&nbsp;目录</p>
  <div class="toc-body" id="toc-body"></div>
</div>

      </div>
    
  </div>
</div>

<!-- Custom -->


    

    
    

    
    

    
  </main>

  <footer class="text-center mt-5 py-3">
  <div class="footer-content">
     <div class="copyright">&copy;2020 - 2021 By Kerosene.W</div> <a href="https://hexo.io" target="_blank" rel="nofollow noopener"><span>Hexo</span></a> <i class="iconfont icon-love"></i> <a href="https://github.com/fluid-dev/hexo-theme-fluid" target="_blank" rel="nofollow noopener"><span>Fluid</span></a> 
  </div>
  


  

  
</footer>


  <!-- SCRIPTS -->
  
  <script  src="https://cdn.jsdelivr.net/npm/nprogress@0/nprogress.min.js" ></script>
  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/nprogress@0/nprogress.min.css" />

  <script>
    NProgress.configure({"showSpinner":false,"trickleSpeed":100})
    NProgress.start()
    window.addEventListener('load', function() {
      NProgress.done();
    })
  </script>


<script  src="https://cdn.jsdelivr.net/npm/jquery@3/dist/jquery.min.js" ></script>
<script  src="https://cdn.jsdelivr.net/npm/bootstrap@4/dist/js/bootstrap.min.js" ></script>
<script  src="/js/events.js" ></script>
<script  src="/js/plugins.js" ></script>

<!-- Plugins -->


  <script  src="/js/local-search.js" ></script>



  
    <script  src="/js/img-lazyload.js" ></script>
  



  



  
    <script  src="https://cdn.jsdelivr.net/npm/tocbot@4/dist/tocbot.min.js" ></script>
  
  
    <script  src="https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@3/dist/jquery.fancybox.min.js" ></script>
  
  
    <script  src="https://cdn.jsdelivr.net/npm/anchor-js@4/anchor.min.js" ></script>
  
  
    <script defer src="https://cdn.jsdelivr.net/npm/clipboard@2/dist/clipboard.min.js" ></script>
  




  <script defer src="/js/leancloud.js" ></script>



  <script  src="https://cdn.jsdelivr.net/npm/typed.js@2/lib/typed.min.js" ></script>
  <script>
    (function (window, document) {
      var typing = Fluid.plugins.typing;
      var title = document.getElementById('subtitle').title;
      
        typing(title);
      
    })(window, document);
  </script>












  

  

  

  

  

  





<!-- 主题的启动项 保持在最底部 -->
<script  src="/js/boot.js" ></script>


</body>
</html>
